
Dan Weston

Senior Curriculum Developer

In this exercise, you will set up and create a new cluster using BYOK. While this walk-through uses Amazon Web Services, the process is similar if you use Google Cloud Platform. At the end of the walk-through, be sure to review the official Confluent documentation that provides more information on configuring and setting up BYOK.

First, you need to log in to Confluent Cloud.

We've got our SecurityCourse environment, so we're going to select that and then click on Create a cluster.

The only cluster type that supports BYOK is dedicated, so we’re going to select that here. For demonstration purposes, we’re going to use a simple 1 CKU cluster. In production, you want to select a cluster size appropriate for your workload.

Click Begin configuration.


Here you need to make sure that you pick the same region as your Amazon Web Services (AWS) key.

The key we’ll use for this cluster is located in us-west-2, so we’re going to select that here. You can select your zone preference. For better resilience in case of a zonal outage, you may want to select Multi zone; for this exercise, however, we’re going to choose Single zone.


Next, we have the option to select our preferred networking type, for which we’ll choose Internet. If you’d like more information on the various networking options, be sure to check out the linked documentation underneath the options. In practice, you want to choose the network option that’s appropriate for your situation.


Now we’re going to click Continue and that’s going to bring us to the security options. This is where you select the option to use your own key. To make this a BYOK cluster, we’re going to select Self-Managed. Again, “bring your own key” means you’re using a self-managed key.


Clicking that brings up another set of options.

Before we dive into them, we want to call your attention to the fact that if at any time in the process you feel you want to get more information, there are a number of helpful links to the documentation right here in the interface.

So we need to get the Amazon Resource Name (ARN) from the Amazon Key Management Service (KMS). Navigate to your AWS account and search for KMS in the search bar. Our top hit on that is the Key Management Service.

Since we don't have any keys, we need to create one. Before we do, make sure you are located in the same AWS region as the cluster that we've been creating.

Click Create key.


You need to select a symmetric key that is used to encrypt and decrypt your data.


Next, add an Alias and enter the description of the key.


You need to set your key administrators and usage permissions as well.

Finally, review the options you have selected and click Finish.

You will be brought back to your keys. Remember, we need to get the Amazon Resource Name to paste it into our Confluent Cloud interface. Click on the alias for the key you just created. Copy the ARN and paste it into your Confluent Cloud interface.


Once the ARN is pasted in, Confluent Cloud generates code for the key policy. We need to take that code and paste it into the key policy back in AWS.

Copy the code that was generated and go back to the AWS interface.

You should still have the key we created. If not, navigate back to the Key Management Service (KMS) and click on the key alias.

Click on Switch to policy view, and then the Edit button.

We need to add to the existing key policy. Scroll to the bottom and paste the copied code in just before the closing square bracket.

If you paste it in the wrong location, you'll get an error.


If you want to cut off access, you can simply remove that policy information. Just remember that doing so will render your cluster unusable. You want to be very intentional about revoking access.
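The policy edit and the revocation described above can be rehearsed offline before touching the console. This is an added example, not Confluent's or AWS's code: the generated statement, its Sid and both account IDs are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample: the default policy AWS KMS attaches to a new key.
# 111122223333 is a placeholder for the key owner's account.
EXISTING_POLICY = """{
  "Version": "2012-10-17", "Id": "key-default-1",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}
  ]
}"""

# Constructed stand-in for the generated code (NOT Confluent's real output):
# bare statement objects, no enclosing brackets. 999999999999 is a placeholder.
GENERATED = """{"Sid": "ExampleProviderUse", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
  "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
  "Resource": "*"}"""

def add_statements(policy_json, snippet):
    """Append pasted statements just before the Statement array closes."""
    policy = json.loads(policy_json)
    new = json.loads("[" + snippet.strip().strip(",") + "]")
    have = {s.get("Sid") for s in policy["Statement"]}
    for stmt in new:
        if stmt.get("Sid") and stmt.get("Sid") in have:
            # Catches pasting the same snippet twice.
            raise ValueError("duplicate Sid: %s" % stmt["Sid"])
        policy["Statement"].append(stmt)
    return policy

def external_grants(policy, owner_account):
    """Map Sid -> allowed principals outside the key owner's account."""
    found = {}
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        aws = [aws] if isinstance(aws, str) else aws
        outside = [p for p in aws if ":%s:" % owner_account not in p]
        if stmt.get("Effect") == "Allow" and outside:
            found[stmt.get("Sid")] = outside
    return found

def remove_statements(policy, sids):
    """Revocation: drop the added statements, keep everything else."""
    kept = [s for s in policy["Statement"] if s.get("Sid") not in sids]
    return dict(policy, Statement=kept)
```

Running `external_grants` on the policy before and after an edit shows exactly which outside accounts can use the key, which is the check to make before saving a change that revokes access.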

Ok, so now we’ve got our policy updated. Let’s head back to the Confluent Cloud console and click Continue, which brings us to a summary of our selections and gives us the option to name our cluster.


The best practice is to provide a meaningful name, so if you’ll be using the cluster in production for ksqlDB processing of telemetry streams, you might choose something like PROD-KSQL-Telemetry.

Below that, you can see the costs related to this, the usage limits and the uptime SLA.

Now we’re going to go ahead and launch the cluster.

And that’s it. After we launch the cluster, it will be ready in about five minutes.

Congratulations! You've successfully configured BYOK for your Confluent Cloud cluster.

As was mentioned earlier, there is no way to convert an existing cluster to use BYOK. Instead, you need to create a new cluster and replicate the data to the new one.

For more information, be sure to check out the official documentation:

Encrypt Confluent Cloud Clusters Using Self-Managed Keys

Use the promo code SECURITY101 to get $25 of free Confluent Cloud Usage
